256 lines
9.0 KiB
Go
256 lines
9.0 KiB
Go
/*
|
|
Copyright 2019 The Crossplane Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package v1
|
|
|
|
import (
|
|
corev1 "k8s.io/api/core/v1"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
)
|
|
|
|
const (
|
|
// LabelKeyOwnerUID is the UID of the owner resource of a connection secret.
|
|
// Kubernetes provides owner/controller references to track ownership of
|
|
// resources including secrets, however, this would only work for in cluster
|
|
// k8s secrets. We opted to use a label for this purpose to be consistent
|
|
// across Secret Store implementations and expect all to support
|
|
// setting/getting labels.
|
|
LabelKeyOwnerUID = "secret.crossplane.io/owner-uid"
|
|
)
|
|
|
|
// PublishConnectionDetailsTo represents configuration of a connection secret.
|
|
type PublishConnectionDetailsTo struct {
|
|
// Name is the name of the connection secret.
|
|
Name string `json:"name"`
|
|
|
|
// Metadata is the metadata for connection secret.
|
|
// +optional
|
|
Metadata *ConnectionSecretMetadata `json:"metadata,omitempty"`
|
|
|
|
// SecretStoreConfigRef specifies which secret store config should be used
|
|
// for this ConnectionSecret.
|
|
// +optional
|
|
// +kubebuilder:default={"name": "default"}
|
|
SecretStoreConfigRef *Reference `json:"configRef,omitempty"`
|
|
}
|
|
|
|
// ConnectionSecretMetadata represents metadata of a connection secret.
|
|
// Labels are used to track ownership of connection secrets and has to be
|
|
// supported for any secret store implementation.
|
|
type ConnectionSecretMetadata struct {
|
|
// Labels are the labels/tags to be added to connection secret.
|
|
// - For Kubernetes secrets, this will be used as "metadata.labels".
|
|
// - It is up to Secret Store implementation for others store types.
|
|
// +optional
|
|
Labels map[string]string `json:"labels,omitempty"`
|
|
// Annotations are the annotations to be added to connection secret.
|
|
// - For Kubernetes secrets, this will be used as "metadata.annotations".
|
|
// - It is up to Secret Store implementation for others store types.
|
|
// +optional
|
|
Annotations map[string]string `json:"annotations,omitempty"`
|
|
// Type is the SecretType for the connection secret.
|
|
// - Only valid for Kubernetes Secret Stores.
|
|
// +optional
|
|
Type *corev1.SecretType `json:"type,omitempty"`
|
|
}
|
|
|
|
// SetOwnerUID sets owner object uid label.
|
|
func (in *ConnectionSecretMetadata) SetOwnerUID(uid types.UID) {
|
|
if in.Labels == nil {
|
|
in.Labels = map[string]string{}
|
|
}
|
|
in.Labels[LabelKeyOwnerUID] = string(uid)
|
|
}
|
|
|
|
// GetOwnerUID gets owner object uid.
|
|
func (in *ConnectionSecretMetadata) GetOwnerUID() string {
|
|
if u, ok := in.Labels[LabelKeyOwnerUID]; ok {
|
|
return u
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// SecretStoreType represents a secret store type.
|
|
// +kubebuilder:validation:Enum=Kubernetes;Vault;Plugin
|
|
type SecretStoreType string
|
|
|
|
const (
|
|
// SecretStoreKubernetes indicates that secret store type is
|
|
// Kubernetes. In other words, connection secrets will be stored as K8s
|
|
// Secrets.
|
|
SecretStoreKubernetes SecretStoreType = "Kubernetes"
|
|
|
|
// SecretStoreVault indicates that secret store type is Vault.
|
|
SecretStoreVault SecretStoreType = "Vault"
|
|
|
|
// SecretStorePlugin indicates that secret store type is Plugin and will be used with external secret stores.
|
|
SecretStorePlugin SecretStoreType = "Plugin"
|
|
)
|
|
|
|
// SecretStoreConfig represents configuration of a Secret Store.
|
|
type SecretStoreConfig struct {
|
|
// Type configures which secret store to be used. Only the configuration
|
|
// block for this store will be used and others will be ignored if provided.
|
|
// Default is Kubernetes.
|
|
// +optional
|
|
// +kubebuilder:default=Kubernetes
|
|
Type *SecretStoreType `json:"type,omitempty"`
|
|
|
|
// DefaultScope used for scoping secrets for "cluster-scoped" resources.
|
|
// If store type is "Kubernetes", this would mean the default namespace to
|
|
// store connection secrets for cluster scoped resources.
|
|
// In case of "Vault", this would be used as the default parent path.
|
|
// Typically, should be set as Crossplane installation namespace.
|
|
DefaultScope string `json:"defaultScope"`
|
|
|
|
// Kubernetes configures a Kubernetes secret store.
|
|
// If the "type" is "Kubernetes" but no config provided, in cluster config
|
|
// will be used.
|
|
// +optional
|
|
Kubernetes *KubernetesSecretStoreConfig `json:"kubernetes,omitempty"`
|
|
|
|
// Vault configures a Vault secret store.
|
|
// Deprecated: This API is scheduled to be removed in a future release.
|
|
// Vault should be used as a plugin going forward. See
|
|
// https://github.com/crossplane-contrib/ess-plugin-vault for more information.
|
|
// +optional
|
|
Vault *VaultSecretStoreConfig `json:"vault,omitempty"`
|
|
|
|
// Plugin configures External secret store as a plugin.
|
|
// +optional
|
|
Plugin *PluginStoreConfig `json:"plugin,omitempty"`
|
|
}
|
|
|
|
// PluginStoreConfig represents configuration of an External Secret Store.
|
|
type PluginStoreConfig struct {
|
|
// Endpoint is the endpoint of the gRPC server.
|
|
Endpoint string `json:"endpoint,omitempty"`
|
|
// ConfigRef contains store config reference info.
|
|
ConfigRef Config `json:"configRef,omitempty"`
|
|
}
|
|
|
|
// Config contains store config reference info.
|
|
type Config struct {
|
|
// APIVersion of the referenced config.
|
|
APIVersion string `json:"apiVersion"`
|
|
// Kind of the referenced config.
|
|
Kind string `json:"kind"`
|
|
// Name of the referenced config.
|
|
Name string `json:"name"`
|
|
}
|
|
|
|
// KubernetesAuthConfig required to authenticate to a K8s API. It expects
|
|
// a "kubeconfig" file to be provided.
|
|
type KubernetesAuthConfig struct {
|
|
// Source of the credentials.
|
|
// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
|
|
Source CredentialsSource `json:"source"`
|
|
|
|
// CommonCredentialSelectors provides common selectors for extracting
|
|
// credentials.
|
|
CommonCredentialSelectors `json:",inline"`
|
|
}
|
|
|
|
// KubernetesSecretStoreConfig represents the required configuration
|
|
// for a Kubernetes secret store.
|
|
type KubernetesSecretStoreConfig struct {
|
|
// Credentials used to connect to the Kubernetes API.
|
|
Auth KubernetesAuthConfig `json:"auth"`
|
|
|
|
// TODO(turkenh): Support additional identities like
|
|
// https://github.com/crossplane-contrib/provider-kubernetes/blob/4d722ef914e6964e80e190317daca9872ae98738/apis/v1alpha1/types.go#L34
|
|
}
|
|
|
|
// VaultAuthMethod represent a Vault authentication method.
|
|
// https://www.vaultproject.io/docs/auth
|
|
type VaultAuthMethod string
|
|
|
|
const (
|
|
// VaultAuthToken indicates that "Token Auth" will be used to
|
|
// authenticate to Vault.
|
|
// https://www.vaultproject.io/docs/auth/token
|
|
VaultAuthToken VaultAuthMethod = "Token"
|
|
)
|
|
|
|
// VaultAuthTokenConfig represents configuration for Vault Token Auth Method.
|
|
// https://www.vaultproject.io/docs/auth/token
|
|
type VaultAuthTokenConfig struct {
|
|
// Source of the credentials.
|
|
// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
|
|
Source CredentialsSource `json:"source"`
|
|
|
|
// CommonCredentialSelectors provides common selectors for extracting
|
|
// credentials.
|
|
CommonCredentialSelectors `json:",inline"`
|
|
}
|
|
|
|
// VaultAuthConfig required to authenticate to a Vault API.
|
|
type VaultAuthConfig struct {
|
|
// Method configures which auth method will be used.
|
|
Method VaultAuthMethod `json:"method"`
|
|
// Token configures Token Auth for Vault.
|
|
// +optional
|
|
Token *VaultAuthTokenConfig `json:"token,omitempty"`
|
|
}
|
|
|
|
// VaultCABundleConfig represents configuration for configuring a CA bundle.
|
|
type VaultCABundleConfig struct {
|
|
// Source of the credentials.
|
|
// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
|
|
Source CredentialsSource `json:"source"`
|
|
|
|
// CommonCredentialSelectors provides common selectors for extracting
|
|
// credentials.
|
|
CommonCredentialSelectors `json:",inline"`
|
|
}
|
|
|
|
// VaultKVVersion represent API version of the Vault KV engine
|
|
// https://www.vaultproject.io/docs/secrets/kv
|
|
type VaultKVVersion string
|
|
|
|
const (
|
|
// VaultKVVersionV1 indicates that Secret API is KV Secrets Engine Version 1
|
|
// https://www.vaultproject.io/docs/secrets/kv/kv-v1
|
|
VaultKVVersionV1 VaultKVVersion = "v1"
|
|
|
|
// VaultKVVersionV2 indicates that Secret API is KV Secrets Engine Version 2
|
|
// https://www.vaultproject.io/docs/secrets/kv/kv-v2
|
|
VaultKVVersionV2 VaultKVVersion = "v2"
|
|
)
|
|
|
|
// VaultSecretStoreConfig represents the required configuration for a Vault
|
|
// secret store.
|
|
type VaultSecretStoreConfig struct {
|
|
// Server is the url of the Vault server, e.g. "https://vault.acme.org"
|
|
Server string `json:"server"`
|
|
|
|
// MountPath is the mount path of the KV secrets engine.
|
|
MountPath string `json:"mountPath"`
|
|
|
|
// Version of the KV Secrets engine of Vault.
|
|
// https://www.vaultproject.io/docs/secrets/kv
|
|
// +optional
|
|
// +kubebuilder:default=v2
|
|
Version *VaultKVVersion `json:"version,omitempty"`
|
|
|
|
// CABundle configures CA bundle for Vault Server.
|
|
// +optional
|
|
CABundle *VaultCABundleConfig `json:"caBundle,omitempty"`
|
|
|
|
// Auth configures an authentication method for Vault.
|
|
Auth VaultAuthConfig `json:"auth"`
|
|
}
|