Merge pull request #212 from negz/pro

Introduce a distinct ProviderConfig credentials field

apis/core/v1alpha1/resource.go

@@ -171,13 +171,45 @@ type ProviderSpec struct {
 	CredentialsSecretRef *SecretKeySelector `json:"credentialsSecretRef,omitempty"`
 }
 
-// A ProviderConfigSpec defines the common way to get to the necessary objects
-// to connect to the provider.
+// A ProviderConfigSpec defines the desired state of a provider config. A
+// provider config may embed this type in its spec in order to support standard
+// fields. Provider configs may choose to avoid embedding this type as
+// appropriate, but are encouraged to follow its conventions.
 type ProviderConfigSpec struct {
-	// CredentialsSecretRef references a specific secret's key that contains
-	// the credentials that are used to connect to the provider.
+	// Credentials required to authenticate to this provider.
+	Credentials ProviderCredentials `json:"credentials"`
+}
+
+// A CredentialsSource is a source from which provider credentials may be
+// acquired.
+type CredentialsSource string
+
+const (
+	// CredentialsSourceNone indicates that a provider does not require
+	// credentials.
+	CredentialsSourceNone CredentialsSource = "None"
+
+	// CredentialsSourceSecret indicates that a provider should acquire
+	// credentials from a secret.
+	CredentialsSourceSecret CredentialsSource = "Secret"
+
+	// CredentialsSourceInjectedIdentity indicates that a provider should use
+	// credentials via its (pod's) identity; i.e. via IRSA for AWS,
+	// Workload Identity for GCP, Pod Identity for Azure, or in-cluster
+	// authentication for the Kubernetes API.
+	CredentialsSourceInjectedIdentity CredentialsSource = "InjectedIdentity"
+)
+
+// ProviderCredentials required to authenticate.
+type ProviderCredentials struct {
+	// Source of the provider credentials.
+	// +kubebuilder:validation:Enum=None;Secret;InjectedIdentity
+	Source CredentialsSource `json:"source"`
+
+	// A CredentialsSecretRef is a reference to a secret key that contains the
+	// credentials that must be used to connect to the provider.
 	// +optional
-	CredentialsSecretRef *SecretKeySelector `json:"credentialsSecretRef,omitempty"`
+	SecretRef *SecretKeySelector `json:"secretRef,omitempty"`
 }
 
 // A ProviderConfigStatus defines the observed status of a ProviderConfig.

apis/core/v1alpha1/zz_generated.deepcopy.go

@@ -80,11 +80,7 @@ func (in *LocalSecretReference) DeepCopy() *LocalSecretReference {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderConfigSpec) DeepCopyInto(out *ProviderConfigSpec) {
 	*out = *in
-	if in.CredentialsSecretRef != nil {
-		in, out := &in.CredentialsSecretRef, &out.CredentialsSecretRef
-		*out = new(SecretKeySelector)
-		**out = **in
-	}
+	in.Credentials.DeepCopyInto(&out.Credentials)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigSpec.
@@ -130,6 +126,26 @@ func (in *ProviderConfigUsage) DeepCopy() *ProviderConfigUsage {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProviderCredentials) DeepCopyInto(out *ProviderCredentials) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(SecretKeySelector)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderCredentials.
+func (in *ProviderCredentials) DeepCopy() *ProviderCredentials {
+	if in == nil {
+		return nil
+	}
+	out := new(ProviderCredentials)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderSpec) DeepCopyInto(out *ProviderSpec) {
 	*out = *in

build

@@ -1 +1 @@
-Subproject commit 4f64913157a952dbe77cd9e05457d9abe695a1d4
+Subproject commit 066208d58f0529e36048c76a4ac46c3afd2b06d1

pkg/resource/fake/mocks.go

@@ -145,20 +145,6 @@ func (m *Orphanable) SetDeletionPolicy(p v1alpha1.DeletionPolicy) { m.Policy = p
 // GetDeletionPolicy gets the DeletionPolicy.
 func (m *Orphanable) GetDeletionPolicy() v1alpha1.DeletionPolicy { return m.Policy }
 
-// CredentialsSecretReferencer is a mock that satisfies CredentialsSecretReferencer
-// interface.
-type CredentialsSecretReferencer struct{ Ref *v1alpha1.SecretKeySelector }
-
-// SetCredentialsSecretReference sets CredentialsSecretReference.
-func (m *CredentialsSecretReferencer) SetCredentialsSecretReference(r *v1alpha1.SecretKeySelector) {
-	m.Ref = r
-}
-
-// GetCredentialsSecretReference gets CredentialsSecretReference.
-func (m *CredentialsSecretReferencer) GetCredentialsSecretReference() *v1alpha1.SecretKeySelector {
-	return m.Ref
-}
-
 // CompositionReferencer is a mock that implements CompositionReferencer interface.
 type CompositionReferencer struct{ Ref *corev1.ObjectReference }
 
@@ -475,8 +461,6 @@ func (m *MockLocalConnectionSecretOwner) DeepCopyObject() runtime.Object {
 type ProviderConfig struct {
 	metav1.ObjectMeta
 
-	CredentialsSecretReferencer
-
 	UserCounter
 	v1alpha1.ConditionedStatus
 }

pkg/resource/interfaces.go

@@ -65,13 +65,6 @@ type Orphanable interface {
 	GetDeletionPolicy() v1alpha1.DeletionPolicy
 }
 
-// A CredentialsSecretReferencer may refer to a credential secret in an arbitrary
-// namespace.
-type CredentialsSecretReferencer interface {
-	GetCredentialsSecretReference() *v1alpha1.SecretKeySelector
-	SetCredentialsSecretReference(r *v1alpha1.SecretKeySelector)
-}
-
 // A ProviderReferencer may reference a provider resource.
 type ProviderReferencer interface {
 	GetProviderReference() *v1alpha1.Reference
@@ -164,8 +157,6 @@ type ManagedList interface {
 type ProviderConfig interface {
 	Object
 
-	CredentialsSecretReferencer
-
 	UserCounter
 	Conditioned
 }