Added Injected Identity Source #336

Closed
132 commits
1aa48e3
go.mod: update all dependencies to latest versions
muvaf Aug 31, 2021
0467f33
go.mod: update go version to 1.16
muvaf Aug 31, 2021
202adf8
build: update build submodule
muvaf Aug 31, 2021
589072e
Merge pull request #284 from muvaf/upd-dependencies
negz Sep 1, 2021
a3a59c9
Account for two different kinds of consistency issues
negz Aug 16, 2021
8e780ec
Don't rely on removal of the external-create-pending annotation
negz Sep 1, 2021
1d64e22
Merge pull request #283 from negz/creat
negz Sep 3, 2021
f4556df
Add backport workflow
negz Sep 7, 2021
4d28ff1
Merge pull request #286 from negz/flows
negz Sep 7, 2021
d3a1443
Add commands Github workflow
negz Sep 7, 2021
9779b31
Merge pull request #287 from negz/flows
negz Sep 7, 2021
1a64750
Add an errors package with a similar API to github.com/pkg/errors
negz Sep 9, 2021
af4e148
Replace github.com/pkg/errors with our own pkg/errors.
negz Sep 9, 2021
3aa81c4
Remove TODO about cmpopts.EquateErrors
negz Sep 9, 2021
6a7a44a
Merge pull request #291 from negz/error
negz Sep 13, 2021
fe7e495
Mark Target APIs as deprecated.
negz Sep 13, 2021
f1ff9b1
Set Creating and Deleting conditions close to Status().Update() calls
negz Sep 15, 2021
9f3f799
Merge pull request #292 from negz/creation
negz Sep 17, 2021
4bd8016
Add a feature flag package
negz Sep 20, 2021
6ae3151
Switch ratelimiter package to more generic names
negz Sep 20, 2021
b733547
Add a controller.Options type
negz Sep 20, 2021
efa7256
Add a convenience function for deriving controller-runtime options
negz Sep 21, 2021
d89312b
Make nil *feature.Flags somewhat usable
negz Sep 21, 2021
f2b0ca3
Add DefaultOptions
negz Sep 21, 2021
658dfc7
Merge pull request #293 from negz/coopt
negz Sep 22, 2021
277dabb
Support true global reconcile rate limiting
negz Sep 24, 2021
f7ed086
Don't rate limit requests that are already delayed by rate limiting
negz Sep 25, 2021
70a386a
Return, don't mutate, a rate limited *rest.Config
negz Sep 25, 2021
d6c9f3e
managed: make finalizer name string public so that it can be used in …
muvaf Sep 29, 2021
d566121
Merge pull request #295 from muvaf/finalize-it-now
muvaf Sep 30, 2021
aefd94b
Add expand wildcards to Paved
turkenh Oct 2, 2021
77b66f3
Add unit tests for paved.ExpandWildcards
turkenh Oct 4, 2021
47bff13
Proper printing for wildcards
turkenh Oct 4, 2021
579c183
Merge pull request #297 from turkenh/pave-with-wildcards
muvaf Oct 4, 2021
ee4131e
Plumb up reconciler contexts
negz Oct 14, 2021
bf5d551
Merge pull request #298 from negz/contextual
negz Oct 14, 2021
67edf4a
Merge pull request #294 from negz/re-re-re-reconcile
negz Oct 25, 2021
bf53464
Add Disconnect call in Reconcile
vaspahomov Oct 1, 2021
a5ff67d
remove named returns; disconnect error should not requeue reconcile
vaspahomov Oct 28, 2021
cc6f044
Only attempt object scheme parsing if object is not registered in meta
hasheddan Oct 29, 2021
f3ea898
Use Wrapf for annotating parser errors
hasheddan Oct 29, 2021
c72bcdd
Merge pull request #300 from hasheddan/better-parse
hasheddan Oct 29, 2021
7b45316
add NewNopFinalizer
fahedouch Nov 8, 2021
21928d2
Merge pull request #303 from fahedouch/add-nop-finalizer
negz Nov 22, 2021
5cc9857
Merge pull request #296 from vaspahomov/feature/disconnect-in-reconcile
negz Dec 2, 2021
295de47
Tweak ExternalDisconnecter implementation
negz Dec 2, 2021
d43d510
Merge pull request #306 from negz/dc
negz Dec 2, 2021
5452374
update go to v1.17.5
muvaf Jan 6, 2022
65392c8
add changes coming with go 1.17
muvaf Jan 6, 2022
2c8369b
update k8s libraries to latest
muvaf Jan 6, 2022
428b7c3
Merge pull request #308 from muvaf/upd-go
muvaf Jan 6, 2022
28d33bf
Add initial types for External Secret Store
turkenh Feb 7, 2022
4b082d3
Extend managed resource with new API
turkenh Feb 8, 2022
300dc31
Define secret store interface
turkenh Feb 8, 2022
05fff0e
Add kubernetes secret store
turkenh Feb 8, 2022
cb4062f
Add a placeholder Vault secret store
turkenh Feb 8, 2022
8cc6436
Add connection secret manager
turkenh Feb 8, 2022
31c8287
Remove reviewable and check-diff from Makefile
turkenh Feb 9, 2022
19034f2
Fetch secret store config and complete connection manager
turkenh Feb 9, 2022
936e121
Add fake store for unit tests
turkenh Feb 10, 2022
bc23452
Use separate interfaces to keep existing MRs compiling
turkenh Feb 10, 2022
48f7c04
Fix namespace calculation for secrets
turkenh Feb 10, 2022
3c908b7
Refactor naming and package structure
turkenh Feb 15, 2022
9e13a88
Add unit tests for connection manager
turkenh Feb 15, 2022
a31600d
Do not unmarshal if no metadata provided
turkenh Feb 16, 2022
88c4d27
Remove publishConnectionDetailsTo from managed resource spec
turkenh Feb 16, 2022
258add4
Resolve first pass of comments in ESS foundation
turkenh Feb 17, 2022
cfcec11
Do not use unstructured client for StoreConfig
turkenh Feb 17, 2022
3215c89
Add unit tests for Kubernetes secret store
turkenh Feb 18, 2022
21f1473
Fix optional fields in connection details API
turkenh Feb 25, 2022
15cf494
Simplify kubernetes client by reusing clientcmd method
turkenh Feb 25, 2022
06c155d
Define scheme for connection secret metadata
turkenh Mar 1, 2022
1d36dd3
More unit tests for kubernetes package
turkenh Mar 1, 2022
31cce62
Mark connection secret metadata fields as optional
turkenh Mar 2, 2022
3232ffa
Merge pull request #321 from turkenh/ess-foundation
negz Mar 2, 2022
ae55806
Add token auth config to api
turkenh Feb 21, 2022
ac03ae3
Add initial implementation Vault as Secret Store
turkenh Feb 21, 2022
796c2ec
Implement client for KV Secrets API
turkenh Feb 22, 2022
ba2ece4
Extend KV client for v2 engine
turkenh Feb 24, 2022
551b414
Use metadata API with scheme
turkenh Mar 2, 2022
df72fd3
Add unit tests for Vault KV client
turkenh Mar 2, 2022
71c2ae8
Add unit tests for Vault Secret Store
turkenh Mar 2, 2022
155dc9d
package.parser: make Or linter work with arbitrary number of linters …
muvaf Mar 7, 2022
d591b5e
Vault ESS - resolve comments and add support for custom CA bundle
turkenh Mar 7, 2022
1bb01bd
Merge pull request #322 from turkenh/ess-vault
negz Mar 8, 2022
90b7988
parser.linter: use strings.Join instead of strings.TrimSuffix to make…
muvaf Mar 9, 2022
b35cdab
Merge pull request #324 from muvaf/parser-or
muvaf Mar 9, 2022
e0edbc5
Define types for using ESS with composition
turkenh Mar 3, 2022
3ce0d92
Refactor packages for connection details types and interfaces
turkenh Mar 3, 2022
b19ffdd
Move features package to runtime
turkenh Mar 4, 2022
c55240a
Add PublishConnectionDetailsTo to Managed resource spec
turkenh Mar 4, 2022
60059a2
Add PublishConnectionDetailsTo to Composition types
turkenh Mar 4, 2022
c8cc06c
Implement ConnectionPropagator in connection.DetailsManager
turkenh Mar 4, 2022
2f22469
Use store.KeyValue in connection.store package
turkenh Mar 9, 2022
5273c0f
Move features package to individual repos
turkenh Mar 9, 2022
bbbe8f8
Return proper error if Secret Store disabled but API used
turkenh Mar 9, 2022
acaeae2
Add more unit tests for Connection Details Manager
turkenh Mar 9, 2022
867c9bb
Track connection secret owner with label
turkenh Mar 10, 2022
86fb15d
Extend Secret Store interface with more power
turkenh Mar 10, 2022
2d3b3de
Add metadata support for Vault kv v1
turkenh Mar 10, 2022
ee3fb97
Fix writeOption conversion and add unit tests
turkenh Mar 10, 2022
ff57cdc
Ensure secret owned by object before delete
turkenh Mar 11, 2022
d7cb4e6
Fix metadata handling with Vault v1
turkenh Mar 11, 2022
6966b5a
Merge pull request #323 from turkenh/ess-composition
muvaf Mar 11, 2022
80debfa
Fix owner not being set for delete
turkenh Mar 11, 2022
6f9579f
Use string instead of interface for KVSecret data
turkenh Mar 12, 2022
754abc4
Separate Vault KV client for v1 and v2
turkenh Mar 13, 2022
79ea2fe
Add comment for linter and use types.UID for uid parameter
turkenh Mar 15, 2022
988c9ba
Merge pull request #325 from turkenh/ess-fixes
muvaf Mar 15, 2022
cdc7266
webhook: add validator struct for chained execution of validation web…
muvaf Apr 5, 2022
0b23ec1
webhook: add mutator struct for chained execution of mutating webhook…
muvaf Apr 6, 2022
f655302
webhook.validator: add options to the initializer
muvaf Apr 6, 2022
43f716a
webhook.validator: add unit tests
muvaf Apr 6, 2022
ac7cf20
Support for having circular dependencies while using referencers
sergenyalcin Apr 14, 2022
ec82fef
Add a new policy about resolving references for every reconcile loop
sergenyalcin Apr 16, 2022
4f95cc7
owners: add turkenh as maintainer since he is a maintainer in crossplane
muvaf Apr 19, 2022
85ab1c2
Merge pull request #329 from muvaf/hasan
muvaf Apr 20, 2022
85f12b9
webhook.mutator: add unit tests
muvaf Apr 6, 2022
0e8935d
Merge pull request #326 from muvaf/webhook-chains
muvaf Apr 21, 2022
66e5e7a
Re-design the Policy API
sergenyalcin Apr 25, 2022
e2fb202
Add policy api for Selector
sergenyalcin May 12, 2022
95e98e4
Empty commit for the v0.16.0 release
jbw976 May 17, 2022
edc27bf
Merge pull request #332 from jbw976/empty-for-v0.16.0
jbw976 May 17, 2022
38e79f4
Preserve order of reference resolution
sergenyalcin May 30, 2022
5770f19
Add unit test cases
sergenyalcin Jun 1, 2022
afe2486
Use kubebuilder enum for new policy fields
sergenyalcin Jun 13, 2022
75dda89
Merge pull request #328 from sergenyalcin/fix-circular-reference
muvaf Jun 13, 2022
23dad77
Add "IfNotPresent" to ResolvePolicy enum
sergenyalcin Jun 16, 2022
a520b60
Merge pull request #334 from sergenyalcin/fix-policy-enums
muvaf Jun 16, 2022
08940fe
Added Injected Identity Source
Jun 20, 2022
9622506
wip
Jun 22, 2022
96368b3
wip
Jun 22, 2022
34 changes: 34 additions & 0 deletions .github/workflows/backport.yml
@@ -0,0 +1,34 @@
name: Backport

on:
# NOTE(negz): This is a risky target, but we run this action only when and if
# a PR is closed, then filter down to specifically merged PRs. We also don't
# invoke any scripts, etc from within the repo. I believe the fact that we'll
# be able to review PRs before this runs makes this fairly safe.
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
pull_request_target:
types: [closed]
# See also commands.yml for the /backport triggered variant of this workflow.

jobs:
# NOTE(negz): I tested many backport GitHub actions before landing on this
# one. Many do not support merge commits, or do not support pull requests with
# more than one commit. This one does. It also handily links backport PRs with
# new PRs, and provides commentary and instructions when it can't backport.
# The main gotchas with this action are that it _only_ supports merge commits,
# and that PRs _must_ be labelled before they're merged to trigger a backport.
open-pr:
runs-on: ubuntu-18.04
if: github.event.pull_request.merged
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0

- name: Open Backport PR
uses: zeebe-io/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
github_workspace: ${{ github.workspace }}
version: v0.0.4
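Review bot: The `open-pr` job declares no `permissions:` block, so the token handed to the action at `github_token: ${{ secrets.GITHUB_TOKEN }}` carries the repository's default scope in a `pull_request_target` context, which the NOTE above already concedes is a privileged trigger. The job only needs to push a branch and open a PR, so add an explicit `permissions:` block limited to `contents: write` and `pull-requests: write`, and for the same reason pin `zeebe-io/[email protected]` (and `actions/checkout@v2`) to a full commit SHA rather than a mutable tag so a later push to that tag cannot change what runs with this token.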
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
@@ -10,7 +10,7 @@ on:

env:
# Common versions
GO_VERSION: '1.16'
GO_VERSION: '1.17'
GOLANGCI_VERSION: 'v1.31'
DOCKER_BUILDX_VERSION: 'v0.4.2'

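Review bot: `GO_VERSION` moves from `'1.16'` to `'1.17'` but `GOLANGCI_VERSION: 'v1.31'` on the following line is left as is; golangci-lint v1.31 predates Go 1.17, so its bundled analyzers may fail to parse, or mis-report, code that uses 1.17 language and module changes. Bump `GOLANGCI_VERSION` in the same change and confirm the lint job still passes on 1.17.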
92 changes: 92 additions & 0 deletions .github/workflows/commands.yml
@@ -0,0 +1,92 @@
name: Comment Commands

on: issue_comment

jobs:
points:
runs-on: ubuntu-18.04
if: startsWith(github.event.comment.body, '/points')

steps:
- name: Extract Command
id: command
uses: xt0rted/slash-command-action@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
command: points
reaction: "true"
reaction-type: "eyes"
allow-edits: "false"
permission-level: write
- name: Handle Command
uses: actions/github-script@v4
env:
POINTS: ${{ steps.command.outputs.command-arguments }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const points = process.env.POINTS

if (isNaN(parseInt(points))) {
console.log("Malformed command - expected '/points <int>'")
github.reactions.createForIssueComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: context.payload.comment.id,
content: "confused"
})
return
}
const label = "points/" + points

// Delete our needs-points-label label.
try {
await github.issues.deleteLabel({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
name: ['needs-points-label']
})
console.log("Deleted 'needs-points-label' label.")
}
catch(e) {
console.log("Label 'needs-points-label' probably didn't exist.")
}

// Add our points label.
github.issues.addLabels({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
labels: [label]
})
console.log("Added '" + label + "' label.")

# NOTE(negz): See also backport.yml, which is the variant that triggers on PR
# merge rather than on comment.
backport:
runs-on: ubuntu-18.04
if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/backport')
steps:
- name: Extract Command
id: command
uses: xt0rted/slash-command-action@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
command: backport
reaction: "true"
reaction-type: "eyes"
allow-edits: "false"
permission-level: write

- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0

- name: Open Backport PR
uses: zeebe-io/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
github_workspace: ${{ github.workspace }}
version: v0.0.4
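Review bot: In the `points` job's script, `github.issues.deleteLabel` does not do what the comment `// Delete our needs-points-label label.` says: `deleteLabel` removes the label definition from the whole repository, takes `name` as a string and has no `issue_number` parameter, so `name: ['needs-points-label']` passes an array and the `issue_number` is silently ignored. To drop the label from this issue only, use `github.issues.removeLabel({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, name: 'needs-points-label' })`. The `createForIssueComment` and `addLabels` calls are also not `await`ed, so a rejected request there is not surfaced by the step.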
10 changes: 0 additions & 10 deletions Makefile
@@ -57,16 +57,6 @@ cobertura:
grep -v zz_generated.deepcopy | \
$(GOCOVER_COBERTURA) > $(GO_TEST_OUTPUT)/cobertura-coverage.xml

# Ensure a PR is ready for review.
reviewable: generate lint
@go mod tidy

# Ensure branch is clean.
check-diff: reviewable
@$(INFO) checking that branch is clean
@git diff --quiet || $(FAIL)
@$(OK) branch is clean

# Update the submodules, such as the common build scripts.
submodules:
@git submodule sync
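Review bot: Dropping `reviewable` and `check-diff` removes the only targets in this file that run `go mod tidy` and assert a clean tree after `generate lint`, and the hunk shows no replacement. Confirm that ci.yml and the build submodule no longer invoke `make reviewable` or `make check-diff`, and that an equivalent generated-code drift check still runs in CI; otherwise stale `zz_generated` files and an untidy go.mod can land unnoticed.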
3 changes: 2 additions & 1 deletion OWNERS.md
@@ -12,4 +12,5 @@ guidelines and responsibilities for the steering committee and maintainers.

* Nic Cope <[email protected]> ([negz](https://github.com/negz))
* Daniel Mangum <[email protected]> ([hasheddan](https://github.com/hasheddan))
* Muvaffak Onus <[email protected]> ([muvaf](https://github.com/muvaf))
* Muvaffak Onuş <[email protected]> ([muvaf](https://github.com/muvaf))
* Hasan Türken <[email protected]> ([turkenh](https://github.com/turkenh))
3 changes: 2 additions & 1 deletion apis/common/v1/condition_test.go
@@ -20,9 +20,10 @@ import (
"testing"

"github.com/google/go-cmp/cmp"
"github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"github.com/crossplane/crossplane-runtime/pkg/errors"
)

func TestConditionEqual(t *testing.T) {
226 changes: 226 additions & 0 deletions apis/common/v1/connection_details.go
@@ -0,0 +1,226 @@
/*
Copyright 2019 The Crossplane Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1

import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
)

const (
// LabelKeyOwnerUID is the UID of the owner resource of a connection secret.
// Kubernetes provides owner/controller references to track ownership of
// resources including secrets, however, this would only work for in cluster
// k8s secrets. We opted to use a label for this purpose to be consistent
// across Secret Store implementations and expect all to support
// setting/getting labels.
LabelKeyOwnerUID = "secret.crossplane.io/owner-uid"
)

// PublishConnectionDetailsTo represents configuration of a connection secret.
type PublishConnectionDetailsTo struct {
// Name is the name of the connection secret.
Name string `json:"name"`

// Metadata is the metadata for connection secret.
// +optional
Metadata *ConnectionSecretMetadata `json:"metadata,omitempty"`

// SecretStoreConfigRef specifies which secret store config should be used
// for this ConnectionSecret.
// +optional
// +kubebuilder:default={"name": "default"}
SecretStoreConfigRef *Reference `json:"configRef,omitempty"`
}

// ConnectionSecretMetadata represents metadata of a connection secret.
// Labels are used to track ownership of connection secrets and has to be
// supported for any secret store implementation.
type ConnectionSecretMetadata struct {
// Labels are the labels/tags to be added to connection secret.
// - For Kubernetes secrets, this will be used as "metadata.labels".
// - It is up to Secret Store implementation for others store types.
// +optional
Labels map[string]string `json:"labels,omitempty"`
// Annotations are the annotations to be added to connection secret.
// - For Kubernetes secrets, this will be used as "metadata.annotations".
// - It is up to Secret Store implementation for others store types.
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
// Type is the SecretType for the connection secret.
// - Only valid for Kubernetes Secret Stores.
// +optional
Type *corev1.SecretType `json:"type,omitempty"`
}

// SetOwnerUID sets owner object uid label.
func (in *ConnectionSecretMetadata) SetOwnerUID(uid types.UID) {
if in.Labels == nil {
in.Labels = map[string]string{}
}
in.Labels[LabelKeyOwnerUID] = string(uid)
}

// GetOwnerUID gets owner object uid.
func (in *ConnectionSecretMetadata) GetOwnerUID() string {
if u, ok := in.Labels[LabelKeyOwnerUID]; ok {
return u
}
return ""
}

// SecretStoreType represents a secret store type.
type SecretStoreType string

const (
// SecretStoreKubernetes indicates that secret store type is
// Kubernetes. In other words, connection secrets will be stored as K8s
// Secrets.
SecretStoreKubernetes SecretStoreType = "Kubernetes"

// SecretStoreVault indicates that secret store type is Vault.
SecretStoreVault SecretStoreType = "Vault"
)

// SecretStoreConfig represents configuration of a Secret Store.
type SecretStoreConfig struct {
// Type configures which secret store to be used. Only the configuration
// block for this store will be used and others will be ignored if provided.
// Default is Kubernetes.
// +optional
// +kubebuilder:default=Kubernetes
Type *SecretStoreType `json:"type,omitempty"`

// DefaultScope used for scoping secrets for "cluster-scoped" resources.
// If store type is "Kubernetes", this would mean the default namespace to
// store connection secrets for cluster scoped resources.
// In case of "Vault", this would be used as the default parent path.
// Typically, should be set as Crossplane installation namespace.
DefaultScope string `json:"defaultScope"`

// Kubernetes configures a Kubernetes secret store.
// If the "type" is "Kubernetes" but no config provided, in cluster config
// will be used.
// +optional
Kubernetes *KubernetesSecretStoreConfig `json:"kubernetes,omitempty"`

// Vault configures a Vault secret store.
// +optional
Vault *VaultSecretStoreConfig `json:"vault,omitempty"`
}

// KubernetesAuthConfig required to authenticate to a K8s API. It expects
// a "kubeconfig" file to be provided.
type KubernetesAuthConfig struct {
// Source of the credentials.
// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
Source CredentialsSource `json:"source"`

// CommonCredentialSelectors provides common selectors for extracting
// credentials.
CommonCredentialSelectors `json:",inline"`
}

// KubernetesSecretStoreConfig represents the required configuration
// for a Kubernetes secret store.
type KubernetesSecretStoreConfig struct {
// Credentials used to connect to the Kubernetes API.
Auth KubernetesAuthConfig `json:"auth"`

// TODO(turkenh): Support additional identities like
// https://github.com/crossplane-contrib/provider-kubernetes/blob/4d722ef914e6964e80e190317daca9872ae98738/apis/v1alpha1/types.go#L34
}

// VaultAuthMethod represent a Vault authentication method.
// https://www.vaultproject.io/docs/auth
type VaultAuthMethod string

const (
// VaultAuthToken indicates that "Token Auth" will be used to
// authenticate to Vault.
// https://www.vaultproject.io/docs/auth/token
VaultAuthToken VaultAuthMethod = "Token"
)

// VaultAuthTokenConfig represents configuration for Vault Token Auth Method.
// https://www.vaultproject.io/docs/auth/token
type VaultAuthTokenConfig struct {
// Source of the credentials.
// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
Source CredentialsSource `json:"source"`

// CommonCredentialSelectors provides common selectors for extracting
// credentials.
CommonCredentialSelectors `json:",inline"`
}

// VaultAuthConfig required to authenticate to a Vault API.
type VaultAuthConfig struct {
// Method configures which auth method will be used.
Method VaultAuthMethod `json:"method"`
// Token configures Token Auth for Vault.
// +optional
Token *VaultAuthTokenConfig `json:"token,omitempty"`
}

// VaultCABundleConfig represents configuration for configuring a CA bundle.
type VaultCABundleConfig struct {
// Source of the credentials.
// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
Source CredentialsSource `json:"source"`

// CommonCredentialSelectors provides common selectors for extracting
// credentials.
CommonCredentialSelectors `json:",inline"`
}

// VaultKVVersion represent API version of the Vault KV engine
// https://www.vaultproject.io/docs/secrets/kv
type VaultKVVersion string

const (
// VaultKVVersionV1 indicates that Secret API is KV Secrets Engine Version 1
// https://www.vaultproject.io/docs/secrets/kv/kv-v1
VaultKVVersionV1 VaultKVVersion = "v1"

// VaultKVVersionV2 indicates that Secret API is KV Secrets Engine Version 2
// https://www.vaultproject.io/docs/secrets/kv/kv-v2
VaultKVVersionV2 VaultKVVersion = "v2"
)

// VaultSecretStoreConfig represents the required configuration for a Vault
// secret store.
type VaultSecretStoreConfig struct {
// Server is the url of the Vault server, e.g. "https://vault.acme.org"
Server string `json:"server"`

// MountPath is the mount path of the KV secrets engine.
MountPath string `json:"mountPath"`

// Version of the KV Secrets engine of Vault.
// https://www.vaultproject.io/docs/secrets/kv
// +optional
// +kubebuilder:default=v2
Version *VaultKVVersion `json:"version,omitempty"`

// CABundle configures CA bundle for Vault Server.
// +optional
CABundle *VaultCABundleConfig `json:"caBundle,omitempty"`

// Auth configures an authentication method for Vault.
Auth VaultAuthConfig `json:"auth"`
}
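Review bot: `VaultAuthConfig` requires `Method` but leaves `Token` as an optional pointer, so a store config with `method: Token` and no `token` block passes API validation and can only fail at runtime when the store is first used; either document that consuming code must reject `Method == VaultAuthToken && Token == nil` or add a validation rule for that combination. Two smaller points in the same file: `SetOwnerUID` and `GetOwnerUID` dereference `in` on a pointer receiver while `PublishConnectionDetailsTo.Metadata` is an optional `*ConnectionSecretMetadata`, so every caller must nil-check before calling either (a nil-receiver guard inside the methods would be cheaper and safer); and the header reads `Copyright 2019` on a file first added in this PR, while the `Source` field of `VaultCABundleConfig` is commented as "Source of the credentials" although it selects a CA bundle, not credentials.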